 

Internal Certificate Chain Error

  • 2 July 2009, 22:12  L.E.E.
     

    I wrote my first PowerShell script that accesses a short-cut (.lnk) to obtain its target, and then accesses that target to copy all of the files in that target directory to another directory.

    It works fine on my lap-top. I have admin privileges on my lap-top so I could easily change my executionPolicy to remoteSigned.  The person who really is going to run the script only has "AllSigned" executionPolicy. And he does not have admin on his lap-top so he cannot change his executionPolicy.

    So, I read some articles about certificates and signing files. This certificate facility is new to me. 

    I found some scripts which allowed me to create a ".cer" certificate. And I exported it.

    I found a script that allows me to sign a file. I ran that script and it looks like it signed the file.

    == script ==============================================

    # *** sos *************************************************************
    # *  Return the target directory location of a ".lnk" type object     *
    # *********************************************************************
    #
    function link_target( $link)
    {
      $shell = New-Object -com wscript.shell
      $lnk   = $shell.CreateShortcut($link)
      $tgt   = $lnk.TargetPath
      return $tgt
    }
    #
    # *** eos *************************************************************
    del c:\ISSS\Reports\*.xls -exclude *_report.xls
    $s = link_target("C:\Source_locations\User_reports.lnk")
    dir C:\ISSS\Reports\*.xls
    copy $s\*.xls    C:\Reports

    # SIG # Begin signature block
    # MIIEMwYJKoZIhvcNAQcCoIIEJDCCBCACAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
    # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
    # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU1me2pCTaKosL7n9ON5WMAEYT
    # +nSgggI9MIICOTCCAaagAwIBAgIQmdia+k7om71HpfJvI46IADAJBgUrDgMCHQUA
    # MCwxKjAoBgNVBAMTIVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdDAe
    # Fw0wOTA2MTExOTQ2NDNaFw0zOTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMTD1Bvd2Vy
    # U2hlbGwgVXNlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA04s/pKSzkAkU
    # A1vP9TL9MhZ1+5JCXj6lYdlV9GUoHoX5lZBkXAY9NofXXeLwzcbQ9XqukvvQ73oN
    # MxodIPJc84ngg6RQUDFm5lgjHgiTua/cczohCNyvfCV+kduP2fE8trnUqJokzxDI
    # lN5zQHdfd7ptB+98rhTkabM3Dv6umz0CAwEAAaN2MHQwEwYDVR0lBAwwCgYIKwYB
    # BQUHAwMwXQYDVR0BBFYwVIAQXvn0+W06mVY6T7MBJEkriKEuMCwxKjAoBgNVBAMT
    # IVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdIIQ6k4XJepngoFPl/yI
    # L95tkzAJBgUrDgMCHQUAA4GBALGnM4LTHzi9IGH8NwMlliaICqyrFbtzJCa44t/9
    # li2ijU9DReuA/stqiBmpFQX1/m4IQcc8Lbt9xcQg6kOakRXjiNFp2jWPPyXLmz7h
    # XbSZvfTDq8Py69LNjYIwKRZIK9Gj37o+5D4l/sj6+c96+qw31DCbrvr6Bsm9mr3r
    # OTX/MYIBYDCCAVwCAQEwQDAsMSowKAYDVQQDEyFQb3dlclNoZWxsIExvY2FsIENl
    # cnRpZmljYXRlIFJvb3QCEJnYmvpO6Ju9R6XybyOOiAAwCQYFKw4DAhoFAKB4MBgG
    # CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
    # AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
    # FEYNyIl6IAawtsGKa0qU0J/+GxclMA0GCSqGSIb3DQEBAQUABIGAxrkRaHLev7G1
    # QKU+0s/EH+xLr6BAR9UVl/pCxPiw5xuSc6pHBrwtFLXUN45pOCE0TP/ENEUdOYBM
    # FgoOT5PrihJgGRaBFKhBK6bhhg/sRSduXvY/jz23WsCVDWXM2OI2iOU+CUrDRv3v
    # cQw3tIT6qVv6qy11obITjKz2BCnblBY=
    # SIG # End signature block

    === script ===============================================

    It works correctly on my lap-top, but we receive "internal certificate chain error" when we try to run it on his computer.

    I did an export of my ".cer" file and we ran certmgr.msc on his computer and imported that certificate into his personal store. The certificate has the "all" properties.

    Maybe my signing process did not use my certificate to sign it. I don't know.
    Is this possible? How do I tell the sign script which certificate to use?

    Here is the script I use to sign my scripts:

    === script ==============================================
    ## sign-file.ps1
    ## Sign a file
    param([string] $file=$(throw "Please specify a filename."))
    # first code-signing certificate in the user's Personal store
    $cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]
    Set-AuthenticodeSignature $file $cert

    # SIG # Begin signature block
    ....
    === script =======================================

All replies

  • 3 July 2009, 7:48  Grégory Schiro (MVP)
     Proposed answer
    Hi,

    The whole certificate chain has to be trusted. You need a trusted root certification authority that generates certificates for all users executing your script.

    Check that the certification authority root certificate is stored in the Trusted Root store.
    Grégory Schiro - PowerShell MVP - PowerShell & MOF
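    The check Grégory describes, as an added example that is not code from this thread: it reads the Authenticode signature of a script, builds the signer's certificate chain under the code-signing application policy (the same check an AllSigned host performs) and names the chain element that is not trusted. The store names and the code-signing EKU OID are standard Windows/.NET values; the script path is a placeholder for your own file, and the helper at the end is an assumption about how you would install the certificates on the other user's machine.

```powershell
# Added diagnostic example, not code from the thread.
param([string]$Path = $(throw "Please specify a signed script path."))

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    "No signer certificate is embedded in the file, so it was never signed."
    return
}

# Build the chain under the code-signing application policy (OID 1.3.6.1.5.5.7.3.3),
# which is what the host checks. Revocation is skipped because a makecert-style
# local root publishes no CRL and the check would otherwise mask the real problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$codeSigningOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid) | Out-Null
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted : $trusted"

# One line per chain element; an untrusted self-made root shows as UntrustedRoot,
# a root that is missing entirely on this machine shows as PartialChain.
foreach ($element in $chain.ChainElements) {
    $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'OK' }
    "  {0,-50} {1}" -f $element.Certificate.Subject, $flags
}

# On the machine that reports the error, the root of the signer's chain belongs
# in Trusted Root Certification Authorities (Root) and the signing certificate
# itself in Trusted Publishers; the Personal store (My) is not consulted at all.
# Windows asks for confirmation before a root is added to CurrentUser\Root.
# Hypothetical helper, assumed here rather than taken from the thread.
function Add-CertificateToStore {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Root', 'TrustedPublisher')][string]$StoreName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($Certificate)
    $store.Close()
}

# Usage on the other user's machine, after exporting the root certificate from
# the signer's machine with certmgr.msc (placeholder path):
#   $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\root.cer'
#   Add-CertificateToStore -Certificate $root -StoreName Root
#   Add-CertificateToStore -Certificate $sig.SignerCertificate -StoreName TrustedPublisher
```

    Run it on the colleague's machine against the signed script: with the signer's .cer imported only into his Personal store, the root ("PowerShell Local Certificate Root" in the signature block above) is absent from his Trusted Root store, so the chain does not build and the status is reported as not trusted. Importing the root into Root fixes the chain; adding the signer to Trusted Publishers additionally stops the AllSigned host from prompting on every run.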
  • 7 October 2009, 13:58  goooly
     
    Hm, but what about this (my) case?

    # my script folder:
    $dir   = "C:\Users\cas\Documents\sysTools\Windows PowerShell\prg"
    # first code-signing certificate in the user's Personal store
    $cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]

    foreach ($scr in Dir -path $dir -filter *.ps1) {
        # use the file's full path; $scr alone stringifies to just the file name
        $scr = $scr.FullName
        echo $scr
        Set-AuthenticodeSignature $scr $cert
    }
    ###  done  ###
    this causes one script to be valid, two others have an unknown error ?

    SignerCertificate  Status        Path
    -----------------  ------        ----
                       UnknownError  get-Gmail.ps1
    C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\readDAXmail.ps1
                       UnknownError  readDAXmail.ps1
    C:\Users\cas\Documents\sysTools\Windows PowerShell\prg\send-TcpRequest.ps1
    B305..B53D20       Valid         send-TcpRequest.ps1

    and a: get-childitem cert:\. -recurse -codesigningcert

    prints to me:
        Verzeichnis: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint     Subject
    ----------     -------
    B305..B53D20   CN=PowerShell User
    The sig has been created by

    So I think my local certificate was found, but why the ____ aren't my scripts signed?
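    A reworked version of the signing loop above, added here and not the poster's code: it signs every .ps1 in a folder with the first code-signing certificate in the user's Personal store, passes the file's full path instead of joining the directory with the file's display name, and reports per file both the Status and the StatusMessage, which is the text that actually explains an UnknownError. $Directory is a placeholder for your own script folder.

```powershell
# Added example, not the poster's code.
param([string]$Directory = $(throw "Please specify the folder holding the scripts."))

$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) { throw "No code-signing certificate found in Cert:\CurrentUser\My." }
"Signing with : $($cert.Subject) ($($cert.Thumbprint))"

$results = foreach ($script in Get-ChildItem -Path $Directory -Filter *.ps1) {
    # Set-AuthenticodeSignature rewrites the file in place, so hand it the full
    # path; a FileInfo object on its own may stringify to just the file name.
    $signed = Set-AuthenticodeSignature -FilePath $script.FullName -Certificate $cert
    New-Object PSObject -Property @{
        File    = $script.Name
        Status  = $signed.Status
        Message = $signed.StatusMessage   # human-readable reason behind UnknownError
    }
}
$results | Format-Table File, Status, Message -AutoSize

# Re-read the signatures independently of the signing call; this is the same
# check an AllSigned host performs before it runs each file.
Get-ChildItem -Path $Directory -Filter *.ps1 |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Format-Table @{ n = 'File'; e = { Split-Path -Leaf $_.Path } }, Status, StatusMessage -AutoSize
```

    The Message column is the part the original output hides: for a file that comes back UnknownError it states the underlying reason, which is what to compare between the file that signed cleanly and the two that did not.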